GDPR risks for retailers – it’s not all about fines: Mini-series 1 – DSARs
Much of the focus in the retail and legal press in recent months has been on the eye-watering level of fines which data protection regulators can impose for infringements of the new EU General Data Protection Regulation (GDPR) legislation. However, in this mini-series Walker Morris’ Heads of Regulatory & Compliance and Commercial Dispute Resolution, Jeanette Burgess and Gwendoline Davies, offer practical advice in light of other GDPR-related risks which are becoming increasingly prevalent issues for retailers.
In this first briefing, Jeanette and Gwendoline look at data subject access requests (DSARs).
GDPR delivers new and enhanced rights for individuals in relation to their personal data, including the right of access, the right to rectification, the right to be forgotten, the right to object to or restrict processing, the right to data portability, and rights related to automated decision-making. GDPR also introduces certain direct obligations on data processors and the requirement for detailed contractual obligations to be implemented between all data controllers and processors. There are also new mandatory notification requirements in relation to data breaches (including informing individuals directly without undue delay, if the breach is likely to result in a high risk to their rights and freedoms), and specific requirements in relation to documentation and record-keeping – part of the universal principle of accountability under the new regime.
There can be little doubt that, aided by the recent bombardment of GDPR-related emails, consumers are becoming increasingly aware of their status as data subjects and emboldened in relation to the exercise of their data protection rights. Add to that the ever-present threat of increasingly sophisticated cyber-attacks, recent high-profile data breaches, and incidents such as the Facebook/Cambridge Analytica scandal, and it is no surprise that individuals want more control over their data, reassurance about how it is used, managed and protected, and the ability to seek appropriate redress when things go wrong.
Last month, however, Retail Week reported that some retailers are struggling to comply with their GDPR obligations. Examples given by Retail Week of some of the difficulties faced by retailers include the volume of DSARs being received and the tight timescales within which retailers must respond. Perhaps even worse, when Tesco did respond (late) to a DSAR submitted to it by a Retail Week staff member, its response was not legally compliant, and could have given rise to a claim.
With GDPR placing an increased level of responsibility on those who process personal data whilst, at the same time, online shopping and digital marketing mean that data collection, processing and retention are more important than ever, the stakes for retailers have never been higher.
DSARs: What retailers need to know
The Data Protection Act 1998 (DPA) placed an obligation on any data controller receiving a DSAR to provide individuals (or, data subjects) with a copy of their personal data and related information unless that is not possible or would involve disproportionate effort, or unless the data sought is privileged (or falls within another of the few limited exemptions). The Data Protection Act 2018, which replaces the previous DPA and implements GDPR, introduced changes to the DSARs regime, reducing the time limit for a response from 40 days to 1 month (although the deadline can be extended by up to 2 months where requests are complex or numerous); and requiring that, in most circumstances, the information must be provided free of charge and, where a DSAR is made electronically, in a commonly used electronic format.
The extent of the data controller’s obligations when it comes to complying with DSARs has, however, been the source of some debate. The following key issues have now been confirmed in recent cases:
- Proportionality of searches and the ‘disproportionality exemption’
  - “the correct approach is to examine what steps a data controller has taken, and then to ask if it would be disproportionate to require further steps to be taken to comply with the individual’s right of access. The burden of proof is on the data controller to show that it has taken all reasonable steps to comply with a [DSAR], and that it can rely on any specific exemptions to refuse to provide data”;
  - There are substantial public policy reasons underpinning individuals’ DPA rights so that, where and so far as possible, DSARs should be enforced;
  - Most data controllers are expected to understand their obligations to comply with DSARs and should have designed their systems to enable them to carry out searches to comply with DSARs relatively easily; and
  - The Court of Appeal has indicated that it is likely to be a rare case in which the disproportionality exemption would apply.
- Motive for making the DSAR
  - The Court of Appeal has also emphasised that neither the DPA, nor the EU Data Protection Directive (95/46/EC) from which it derives, limits the purpose for which a DSAR may be made. On the contrary, the DSAR regime is ‘purpose-blind’. There is now therefore reliable authority that the motive behind the making of any DSAR should not matter and should not impact upon the data controller’s obligation to comply.
  - However, the court has a discretion whether to compel compliance with a DSAR. Some of the (non-exhaustive) factors which can be taken into account include:
    - whether there is a more appropriate route to obtaining the requested information (such as disclosure in legal proceedings);
    - the nature and gravity of the breach and/or the level of prejudice suffered by the data subject;
    - the reason for making the DSAR;
    - whether the making of the DSAR amounts to an abuse of rights or procedural abuse;
    - whether the request is really for documents rather than personal data; and
    - the potential benefit to the data subject.
Retailers should be aware that DSARs are increasingly being used tactically, both prior to and alongside the litigation process. Here are our top tips for managing retailers’ risks and responsibilities:
- Education is essential. Apart from understanding the legal implications of a DSAR, all staff should be trained to recognise, and respond appropriately to, receipt of a DSAR.
- Retailers should ascertain all of the various sources within which they hold or control personal data. They should then assess whether the data systems that they already operate are sufficiently quickly and easily searchable, so that responding to DSARs can be as cost-effective as possible.
- Retailers must be aware of the 1 month timescale for responding to DSARs and ensure that their protocols take account of this very tight deadline.
- Whenever a retailer wishes to rely on the disproportionality exemption or legal privilege to avoid compliance, it should be prepared to justify that decision, with evidence in support. To do that, an initial critical review of data held will need to be undertaken and recorded – a blanket assertion of privilege or that it would be too difficult, costly or time-consuming to search through voluminous papers will not suffice.
- Retailers may also wish to assess any DSARs received against the ‘court’s discretion’ factors set out in Deer when deciding whether and how to respond. Retailers should note, however, that, if they get the assessment wrong or take too long, they could face intervention from the Information Commissioner’s Office and possible sanctions.
- In many cases it will be advisable for retailers to take urgent specialist advice immediately upon receipt of a DSAR. This will be particularly important where there is any ongoing or underlying dispute, which may involve associated legal and tactical risks.
If you require assistance in relation to any of the issues raised in this briefing, please do not hesitate to contact Jeanette or Gwendoline, who will be very happy to help.
Up to 2 per cent of annual global turnover or €10 million, whichever is the greater, for violations relating to certain administrative data protection failings; and up to 4 per cent of annual global turnover or €20 million, whichever is the greater, for violations relating to certain more fundamental failings, such as breaches of any of the basic principles for processing personal data and breaches of data subjects’ rights.
See our previous briefing for further information.
Dawson-Damer & Ors v Taylor Wessing LLP EWCA Civ 74
Deer v University of Oxford and Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & Ors EWCA Civ 121